This topic describes the log fields of Security Center.

Real-time logs

Field name Description Example
dir The direction of the network connection. Valid values:
  • in: inbound
  • out: outbound
in
src_ip The source IP address.
  • If the value of dir is out, the value of this field is the IP address of your host.
  • If the value of dir is in, the value of this field is the IP address of the peer host.
10.240.XX.XX
src_port The source port. 24680
dst_ip The destination IP address.
  • If the value of dir is out, the value of this field is the IP address of the peer host.
  • If the value of dir is in, the value of this field is the IP address of your host.
10.240.XX.XX
dst_port The destination port. 22
status The status of the network connection.
Note In real-time logs, the value of this field is random. You can ignore this field.
2
type The type of the real-time network connection. Valid values:
  • connect: TCP connection initiated
  • accept: TCP connection received
  • listen: port listening
listen

Snapshot logs (asset fingerprints)

Field name Description Example
proc_path The path of the process. "/usr/sbin/sshd"
proc_cmdline The command line of the process. "/usr/sbin/sshd -D"
pid The ID of the process. 1158
ppid The ID of the parent process. 1
dir The direction of the network connection. Valid values:
  • in: inbound
  • out: outbound
in
src_ip The source IP address.
  • If the value of dir is out, the value of this field is the IP address of your host.
  • If the value of dir is in, the value of this field is the IP address of the peer host.
10.240.XX.XX
src_port The source port. 24680
dst_ip The destination IP address.
  • If the value of dir is out, the value of this field is the IP address of the peer host.
  • If the value of dir is in, the value of this field is the IP address of your host.
10.240.XX.XX
dst_port The destination port. 22
status The status of the network connection. Valid values:
  • 1: TCP_STATE_CLOSED
  • 2: TCP_STATE_LISTEN
  • 3: TCP_STATE_SYN_SENT
  • 4: TCP_STATE_SYN_RCVD
  • 5: TCP_STATE_ESTABLISHED
  • 6: TCP_STATE_CLOSE_WAIT
  • 7: TCP_STATE_CLOSING
  • 8: TCP_STATE_FIN_WAIT1
  • 9: TCP_STATE_FIN_WAIT2
  • 10: TCP_STATE_LAST_ACK
  • 11: TCP_STATE_TIME_WAIT
2
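The two rules a consumer of these records most often gets wrong are the dir-dependent meaning of src_ip/dst_ip and the fact that status is only meaningful in snapshot logs. The following is an added example (not Security Center code) that normalizes snapshot records into explicit local/peer endpoints and decodes the TCP_STATE_* codes from the table above; the sample records and the 0.0.0.0:0 peer used for the listening socket are constructed assumptions.

```python
"""Normalize Security Center snapshot-log (asset fingerprint) network records.

Added example, not Security Center code. It applies two rules from the
tables above: `dir` decides which of src_ip/dst_ip is the monitored host
and which is the peer, and `status` is decoded with the TCP_STATE_* codes
of snapshot logs. Real-time logs share the dir rule but carry a random
status value, so realtime=True leaves the state undecoded.
"""
import json

# Snapshot-log status codes, copied from the table above.
SNAPSHOT_TCP_STATES = {
    1: "TCP_STATE_CLOSED", 2: "TCP_STATE_LISTEN", 3: "TCP_STATE_SYN_SENT",
    4: "TCP_STATE_SYN_RCVD", 5: "TCP_STATE_ESTABLISHED",
    6: "TCP_STATE_CLOSE_WAIT", 7: "TCP_STATE_CLOSING",
    8: "TCP_STATE_FIN_WAIT1", 9: "TCP_STATE_FIN_WAIT2",
    10: "TCP_STATE_LAST_ACK", 11: "TCP_STATE_TIME_WAIT",
}

# Constructed sample records (newline-delimited JSON, RFC 5737 addresses).
# For the listening socket the peer side is filled with 0.0.0.0:0; that is
# an assumption of this sample, not something the field table specifies.
SAMPLE_SNAPSHOT_LOGS = """
{"proc_path": "/usr/sbin/sshd", "proc_cmdline": "/usr/sbin/sshd -D", "pid": 1158, "ppid": 1, "dir": "in", "src_ip": "0.0.0.0", "src_port": 0, "dst_ip": "192.0.2.10", "dst_port": 22, "status": 2}
{"proc_path": "/usr/sbin/sshd", "proc_cmdline": "sshd: ops [priv]", "pid": 2201, "ppid": 1158, "dir": "in", "src_ip": "198.51.100.7", "src_port": 24680, "dst_ip": "192.0.2.10", "dst_port": 22, "status": 5}
{"proc_path": "/usr/bin/curl", "proc_cmdline": "curl https://example.com/", "pid": 3300, "ppid": 2201, "dir": "out", "src_ip": "192.0.2.10", "src_port": 51000, "dst_ip": "203.0.113.5", "dst_port": 443, "status": 5}
"""


def normalize(record, realtime=False):
    """Return a record with explicit local/peer endpoints and a decoded TCP state.

    dir == "out": src is the monitored host, dst is the peer.
    dir == "in":  dst is the monitored host, src is the peer.
    """
    direction = record["dir"]
    if direction == "out":
        local_ip, local_port = record["src_ip"], int(record["src_port"])
        peer_ip, peer_port = record["dst_ip"], int(record["dst_port"])
    elif direction == "in":
        local_ip, local_port = record["dst_ip"], int(record["dst_port"])
        peer_ip, peer_port = record["src_ip"], int(record["src_port"])
    else:
        raise ValueError(f"unexpected dir value: {direction!r}")

    if realtime:
        state = None  # real-time status is random per the note above; ignore it
    else:
        code = int(record["status"])
        state = SNAPSHOT_TCP_STATES.get(code, f"UNKNOWN({code})")

    return {
        "dir": direction,
        "local_ip": local_ip, "local_port": local_port,
        "peer_ip": peer_ip, "peer_port": peer_port,
        "proc_path": record.get("proc_path"),
        "pid": record.get("pid"),
        "state": state,
    }


def parse_snapshot_log(text, realtime=False):
    """Parse newline-delimited JSON records and normalize each one."""
    return [normalize(json.loads(line), realtime)
            for line in text.splitlines() if line.strip()]


def listening_ports(normalized):
    """Sorted (local_port, proc_path) pairs for sockets in LISTEN state."""
    return sorted({(r["local_port"], r["proc_path"])
                   for r in normalized if r["state"] == "TCP_STATE_LISTEN"})


def established_peers(normalized):
    """Sorted (dir, peer_ip, peer_port, proc_path) for ESTABLISHED sockets."""
    return sorted((r["dir"], r["peer_ip"], r["peer_port"], r["proc_path"])
                  for r in normalized if r["state"] == "TCP_STATE_ESTABLISHED")


if __name__ == "__main__":
    recs = parse_snapshot_log(SAMPLE_SNAPSHOT_LOGS)
    print("listening:", listening_ports(recs))
    print("established:", established_peers(recs))
```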

Network logs

Domain Name System (DNS) logs

Field name Description Example
additional The additional field. Multiple additional fields are separated by vertical bars (|). None
additional_num The number of additional fields. 0
answer The DNS answer. Multiple DNS answers are separated by vertical bars (|). example.com A IN 52 1.2.XX.XX
answer_num The number of DNS answers. 1
authority The authority field. NS IN 17597
authority_num The number of authority fields. 1
client_subnet The subnet of the client. 172.168.XX.XX
dst_ip The destination IP address. 1.2.XX.XX
dst_port The destination port. 53
in_out The direction of data transmission. Valid values:
  • in: inbound
  • out: outbound
out
qid The ID of the query. 12345
qname The domain name that is queried. example.com
qtype The type of the query. A
query_datetime The timestamp of the query. Unit: milliseconds. 1537840756263
rcode The code returned. 0
region The ID of the source region. Valid values:
  • 1: China (Beijing)
  • 2: China (Qingdao)
  • 3: China (Hangzhou)
  • 4: China (Shanghai)
  • 5: China (Shenzhen)
  • 6: other regions
1
response_datetime The response time. 2018-09-25 09:59:16
src_ip The source IP address. 1.2.XX.XX
src_port The source port. 22

Internal DNS logs

Field name Description Example
answer_rda The DNS answer. Multiple DNS answers are separated by vertical bars (|). example.com
answer_ttl The time to live (TTL) of the DNS answer. Multiple TTLs are separated by vertical bars (|). 100
answer_type The type of the DNS answer. Multiple types are separated by vertical bars (|). 1
anwser_name The name of the DNS answer. Multiple names are separated by vertical bars (|). example.com
dest_ip The destination IP address. 1.2.XX.XX
dest_port The destination port. 53
group_id The ID of the group. 3
hostname The name of the host. hostName
id The ID of the query. 64588
instance_id The ID of the instance. i-2zeg4zldn8zypsfg****
internet_ip The public IP address. 1.2.XX.XX
ip_ttl The TTL of the IP address. 64
query_name The domain name that is queried. example.com
query_type The type of the query. A
src_ip The source IP address. 1.2.XX.XX
src_port The source port. 1234
time The timestamp of the query. Unit: seconds. 1537840756
time_usecond The response duration. Unit: microseconds. 49069
tunnel_id The ID of the tunnel. 514763

Network session logs

Field name Description Example
asset_type The type of the asset from which the logs are collected. Valid values:
  • ECS
  • SLB
  • RDS
ECS
dst_ip The destination IP address. 1.2.XX.XX
dst_port The destination port. 53
proto The protocol type. Valid values:
  • tcp
  • udp
tcp
session_time The time when the session starts. 2018-09-25 09:59:49
src_ip The source IP address. 1.2.XX.XX
src_port The source port. 54

Web access logs

Field name Description Example
content_length The length of the message body. Unit: bytes. 123
dst_ip The destination IP address. 1.2.XX.XX
dst_port The destination port. 54
host The host that is accessed. 47.XX.XX.158:8080
jump_location The redirection address. 123
method The HTTP request method. GET
referer The HTTP referer, which is the URL of the web page that links to the requested resource. www.example.com
request_datetime The time when the request is initiated. 2018-09-25 09:58:37
ret_code The HTTP status code returned. 200
rqs_content_type The type of the request content. text/plain;charset=utf-8
rsp_content_type The type of the response content. text/plain; charset=utf-8
src_ip The source IP address. 1.2.XX.XX
src_port The source port. 54
uri The request URI. /report
user_agent The user agent that initiates the request. okhttp/3.2.0
x_forward_for The routing information carried in the X-Forwarded-For header. 1.2.XX.XX

Security logs

Vulnerability logs

Field name Description Example
name The name of the vulnerability. oval:com.redhat.rhsa:def:20182390
alias_name The alias of the vulnerability. RHSA-2018:2390: kernel security and bug fix update
op The operation on the vulnerability. Valid values:
  • new
  • verify
  • fix
new
status The status of the vulnerability. 1
tag The tag of the vulnerability. Valid values:
  • oval: Linux software vulnerability
  • system: Windows system vulnerability
  • cms: Web-CMS vulnerability
    Note A random string indicates other types of vulnerabilities.
oval
type The type of the vulnerability. Valid values:
  • sys: Windows system vulnerability
  • cve: Linux software vulnerability
  • cms: Web-CMS vulnerability
  • emg: urgent vulnerability
sys
uuid The UUID of the server. 1234-b7ca-4a0a-9267-12****

Baseline logs

Field name Description Example
level The severity of the risk item. Valid values:
  • high
  • medium
  • low
low
op The operation. Valid values:
  • new
  • verity: verification
new
risk_name The name of the risk item. Password compliance checks
status The information about the status. For more information, see Status codes of security logs. 1
sub_type_alias The alias of the sub type in Chinese. System account security
sub_type_name The name of the sub type. system_account_security
type_name The name of the check type. account
type_alias The alias of the type in Chinese. cis
uuid The UUID of the server on which risk items are detected. 12345-b7ca-4a0a-9267-123456

Baseline types and sub types

Type Sub type Description
hc_exploit hc_exploit_redis High risk exploit - Redis unauthorized access high-risk vulnerability
hc_exploit hc_exploit_activemq High risk exploit - ActiveMQ unauthorized access high-risk vulnerability
hc_exploit hc_exploit_couchdb High risk exploit - CouchDB unauthorized access high-risk vulnerability
hc_exploit hc_exploit_docker High risk exploit - Docker unauthorized access high-risk vulnerability
hc_exploit hc_exploit_es High risk exploit - Elasticsearch unauthorized access high-risk vulnerability
hc_exploit hc_exploit_hadoop High risk exploit - Hadoop unauthorized access high-risk vulnerability
hc_exploit hc_exploit_jboss High risk exploit - JBoss unauthorized access high-risk vulnerability
hc_exploit hc_exploit_jenkins High risk exploit - Jenkins unauthorized access high-risk vulnerability
hc_exploit hc_exploit_k8s_api High risk exploit - Kubernetes API server unauthorized access high-risk vulnerability
hc_exploit hc_exploit_ldap High risk exploit - LDAP unauthorized access high-risk vulnerability (Windows)
hc_exploit hc_exploit_ldap_linux High risk exploit - OpenLDAP unauthorized access vulnerability baseline (Linux)
hc_exploit hc_exploit_memcache High risk exploit - Memcached unauthorized access high-risk vulnerability
hc_exploit hc_exploit_mongo High risk exploit - MongoDB unauthorized access high-risk vulnerability
hc_exploit hc_exploit_pgsql High risk exploit - PostgreSQL unauthorized access high-risk vulnerability baseline
hc_exploit hc_exploit_rabbitmq High risk exploit - RabbitMQ unauthorized access high-risk vulnerability
hc_exploit hc_exploit_rsync High risk exploit - rsync unauthorized access high-risk vulnerability
hc_exploit hc_exploit_tomcat
hc_exploit hc_exploit_zookeeper High risk exploit - ZooKeeper unauthorized access high-risk vulnerability
hc_container hc_docker Alibaba Cloud Standard - Docker Security Baseline Check
hc_container hc_middleware_ack_master CIS standard - Kubernetes (ACK) master node security inspection
hc_container hc_middleware_ack_node CIS standard - Kubernetes (ACK) node security inspection
hc_container hc_middleware_k8s Alibaba Cloud Standard - Kubernetes master security baseline check
hc_container hc_middleware_k8s_node Alibaba Cloud Standard - Kubernetes node security baseline check
cis hc_suse 15_djbh SUSE Linux 15 Baseline for China classified protection of cybersecurity - Level III
cis hc_aliyun_linux3_djbh_l3 Alibaba Cloud Linux 3 Baseline for China classified protection of cybersecurity - Level III
cis hc_aliyun_linux_djbh_l3 Alibaba Cloud Linux/Aliyun Linux 2 Baseline for China classified protection of cybersecurity - Level III
cis hc_bind_djbh BIND Baseline for China classified protection of cybersecurity - Level III
cis hc_centos 6_djbh_l3 CentOS Linux 6 Baseline for China classified protection of cybersecurity - Level III
cis hc_centos 7_djbh_l3 CentOS Linux 7 Baseline for China classified protection of cybersecurity - Level III
cis hc_centos 8_djbh_l3 CentOS Linux 8 Baseline for China classified protection of cybersecurity - Level III
cis hc_debian_djbh_l3 Debian Linux 8/9/10 Baseline for China classified protection of cybersecurity - Level III
cis hc_iis_djbh IIS Baseline for China classified protection of cybersecurity - Level III
cis hc_informix_djbh Informix Baseline for China classified protection of cybersecurity - Level III
cis hc_jboss_djbh JBoss 6/7 Compliance Baseline Check
cis hc_mongo_djbh MongoDB Baseline for China classified protection of cybersecurity - Level III
cis hc_mssql_djbh SQL Server Baseline for China classified protection of cybersecurity - Level III
cis hc_mysql_djbh MySQL Baseline for China classified protection of cybersecurity - Level III
cis hc_nginx_djbh Nginx Baseline for China classified protection of cybersecurity - Level III
cis hc_oracle_djbh Oracle Baseline for China classified protection of cybersecurity - Level III
cis hc_pgsql_djbh PostgreSQL Baseline for China classified protection of cybersecurity - Level III
cis hc_redhat 6_djbh_l3 Red Hat Enterprise Linux 6 Baseline for China classified protection of cybersecurity - Level III
cis hc_redhat_djbh_l3 Red Hat Enterprise Linux 7 Baseline for China classified protection of cybersecurity - Level III
cis hc_redis_djbh Redis Baseline for China classified protection of cybersecurity - Level III
cis hc_suse 10_djbh_l3 SUSE Linux 10 Baseline for China classified protection of cybersecurity - Level III
cis hc_suse 12_djbh_l3 SUSE Linux 12 Baseline for China classified protection of cybersecurity - Level III
cis hc_suse_djbh_l3 SUSE Linux 11 Baseline for China classified protection of cybersecurity - Level III
cis hc_ubuntu 14_djbh_l3 Ubuntu 14 Baseline for China classified protection of cybersecurity - Level III
cis hc_ubuntu_djbh_l3 Ubuntu 16/18/20 Baseline for China classified protection of cybersecurity - Level III
cis hc_was_djbh WebSphere Application Server Baseline for China classified protection of cybersecurity - Level III
cis hc_weblogic_djbh WebLogic Baseline for China classified protection of cybersecurity - Level III
cis hc_win 2008_djbh_l3 Windows Server 2008 R2 Baseline for China classified protection of cybersecurity - Level III
cis hc_win 2012_djbh_l3 Windows 2012 R2 Baseline for China classified protection of cybersecurity - Level III
cis hc_win 2016_djbh_l3 Windows 2016/2019 Baseline for China classified protection of cybersecurity - Level III
cis hc_aliyun_linux_djbh_l2 Alibaba Cloud Linux/Aliyun Linux 2 Baseline for China classified protection of cybersecurity - Level II
cis hc_centos 6_djbh_l2 CentOS Linux 6 Baseline for China classified protection of cybersecurity - Level II
cis hc_centos 7_djbh_l2 CentOS Linux 7 Baseline for China classified protection of cybersecurity - Level II
cis hc_debian_djbh_l2 Debian Linux 8 Baseline for China classified protection of cybersecurity - Level II
cis hc_redhat 7_djbh_l2 Red Hat Linux 7 Baseline for China classified protection of cybersecurity - Level II
cis hc_ubuntu_djbh_l2 Ubuntu 16/18 Baseline for China classified protection of cybersecurity - Level II
cis hc_win 2008_djbh_l2 Windows 2008 R2 Baseline for China classified protection of cybersecurity - Level II
cis hc_win 2012_djbh_l2 Windows 2012 R2 Baseline for China classified protection of cybersecurity - Level II
cis hc_win 2016_djbh_l2 Windows 2016/2019 Baseline for China classified protection of cybersecurity - Level II
cis hc_aliyun_linux_cis Alibaba Cloud Linux/Aliyun Linux 2 CIS Benchmark
cis hc_centos 6_cis_rules CIS CentOS Linux 6 LTS Benchmark
cis hc_centos 7_cis_rules CIS CentOS Linux 7 LTS Benchmark
cis hc_centos 8_cis_rules CIS CentOS Linux 8 LTS Benchmark
cis hc_debian 8_cis_rules CIS Debian Linux 8 Benchmark
cis hc_ubuntu 14_cis_rules CIS Ubuntu Linux 14 LTS Benchmark
cis hc_ubuntu 16_cis_rules CIS Ubuntu Linux 16/18/20 LTS Benchmark
cis hc_win 2008_cis_rules CIS Microsoft Windows Server 2008 R2 Benchmark
cis hc_win 2012_cis_rules CIS Microsoft Windows Server 2012 R2 Benchmark
cis hc_win 2016_cis_rules CIS Microsoft Windows Server 2016/2019 R2 Benchmark
cis hc_kylin_djbh_l3 Kylin Baseline for China classified protection of cybersecurity - Level III
cis hc_uos_djbh_l3 UOS Baseline for China classified protection of cybersecurity - Level III
hc_best_secruity hc_aliyun_linux Alibaba Cloud Linux/Aliyun Linux 2 Benchmark
hc_best_secruity hc_centos 6 Alibaba Cloud Standard - CentOS Linux 6 Security Baseline Check
hc_best_secruity hc_centos 7 Alibaba Cloud Standard - CentOS Linux 7/8 Security Baseline Check
hc_best_secruity hc_debian Alibaba Cloud Standard - Debian Linux 8/9/10 Security Baseline
hc_best_secruity hc_redhat 6 Alibaba Cloud Standard - Red Hat Enterprise Linux 6 Security Baseline Check
hc_best_secruity hc_redhat 7 Alibaba Cloud Standard - Red Hat Enterprise Linux 7/8 Security Baseline Check
hc_best_secruity hc_ubuntu Alibaba Cloud Standard - Ubuntu Security Baseline
hc_best_secruity hc_windows_2008 Alibaba Cloud Standard - Windows Server 2008 R2 Security Baseline Check
hc_best_secruity hc_windows_2012 Alibaba Cloud Standard - Windows 2012 R2 Security Baseline
hc_best_secruity hc_windows_2016 Alibaba Cloud Standard - Windows 2016/2019 Security Baseline
hc_best_secruity hc_db_mssql Alibaba Cloud Standard - SQL Server Security Baseline Check
hc_best_secruity hc_memcached_ali Alibaba Cloud Standard - Memcached Security Baseline Check
hc_best_secruity hc_mongodb Alibaba Cloud Standard - MongoDB version 3.x Security Baseline Check
hc_best_secruity hc_mysql_ali Alibaba Cloud Standard - MySQL Security Baseline Check
hc_best_secruity hc_oracle Alibaba Cloud Standard - Oracle 11g Security Baseline Check
hc_best_secruity hc_pgsql_ali Alibaba Cloud Standard - PostgreSQL Security Initialization Check
hc_best_secruity hc_redis_ali Alibaba Cloud Standard - Redis Security Baseline Check
hc_best_secruity hc_apache Alibaba Cloud Standard - Apache Security Baseline Check
hc_best_secruity hc_iis_8 Alibaba Cloud Standard - IIS 8 Security Baseline Check
hc_best_secruity hc_nginx_linux Alibaba Cloud Standard - Nginx Security Baseline Check
hc_best_secruity hc_suse 15 Alibaba Cloud Standard - SUSE Linux 15 Security Baseline Check
hc_best_secruity tomcat 7 Alibaba Cloud Standard - Apache Tomcat Security Baseline
weak_password hc_mongodb_pwd Weak password - MongoDB weak password baseline (supports version 2.x)
weak_password hc_weakpwd_ftp_linux Weak password - FTP logon weak password baseline
weak_password hc_weakpwd_linux_sys Weak password - Linux system logon weak password baseline
weak_password hc_weakpwd_mongodb 3 Weak password - MongoDB weak password baseline
weak_password hc_weakpwd_mssql Weak password - SQL Server database logon weak password baseline
weak_password hc_weakpwd_mysql_linux Weak password - MySQL database logon weak password baseline
weak_password hc_weakpwd_mysql_win Weak password - MySQL database logon weak password baseline (Windows version)
weak_password hc_weakpwd_openldap Weak password - OpenLDAP logon weak password baseline
weak_password hc_weakpwd_oracle Weak password - Oracle logon weak password detection
weak_password hc_weakpwd_pgsql Weak password - PostgreSQL database logon weak password baseline
weak_password hc_weakpwd_pptp Weak password - pptpd logon weak password baseline
weak_password hc_weakpwd_redis_linux Weak password - Redis database logon weak password baseline
weak_password hc_weakpwd_rsync Weak password - rsync logon weak password baseline
weak_password hc_weakpwd_svn Weak password - SVN logon weak password baseline
weak_password hc_weakpwd_tomcat_linux Weak password - Apache Tomcat console weak password baseline
weak_password hc_weakpwd_vnc Weak password - VNC server weak password check
weak_password hc_weakpwd_weblogic Weak password - WebLogic 12c logon weak password detection
weak_password hc_weakpwd_win_sys Weak password - Windows system logon weak password baseline

Status codes of security logs

Status code Description
1 Unfixed.
2 Fixing failed.
3 Rollback failed.
4 Fixing.
5 Rolling back.
6 Verifying.
7 Fixed.
8 Fixed and to be restarted.
9 Rolled back.
10 Ignored.
11 Rolled back and to be restarted.
12 No longer exists.
20 Expired.

Status codes of alerts

Status code Description
1 Unhandled.
2 Ignored.
4 Confirmed.
8 Marked as false positives.
16 Handling.
32 Handled.
64 Expired.
128 Deleted.
512 Automatic blocking.
513 Automatically blocked.

Status codes of baseline logs

Status code Description
1 Baseline checks failed.
2 Verifying.
3 Baseline checks passed.
5 Expired.
6 Ignored.
7 Fixing.

Alert logs

Field name Description Example
data_source The data source. For more information, see Data source of alerts. aegis_login_log
level The severity of the alert event. The following valid values are listed in descending order:
  • serious
  • suspicious
  • remind
suspicious
name The name of the alert. Suspicious Process-SSH-based Remote Execution of Non-interactive Commands
op The operation. Valid values:
  • new
  • dealing
new
status The information about the status. For more information, see Status codes of security logs. 1
uuid The UUID of the server on which the alert is generated. 12345-b7ca-4a0a-9267-123456
detail The details of the alert.
Note The content of the detail field in the log varies based on the alert type. If you have questions about the parameters in the detail field when you view alert logs, you can submit a ticket for consultation.
The content of the detail field is long. The following content is extracted from the detail field in an alert log that is generated for an unapproved location logon to a server: {"loginSourceIp":"120.27.XX.XX","loginTimes":1,"type":"login_common_location","loginDestinationPort":22,"loginUser":"aike","protocol":2,"protocolName":"SSH","location":"Qingdao"}
unique_info The ID of the alert. 2536dd765f804916a1fa3b9516b5****

Data source of alerts

Value Description
aegis_suspicious_event Host exceptions
aegis_suspicious_file_v2 Webshell
aegis_login_log Unusual logons
security_event Security Center exceptions

Host logs

Process startup logs

Field name Description Example
uuid The UUID of the server where the process runs. 5d83b26b-b7ca-4a0a-9267-12****
ip The IP address of the client host. 1.2.XX.XX
cmdline The complete command to start the process. cmd.exe /C "netstat -ano"
username The username. administrator
uid The ID of the user. 123
pid The ID of the process. 7100
filename The name of the process file. cmd.exe
filepath The full path of the process file. C:/Windows/SysWOW64/cmd.exe
groupname The name of the user group. group1
ppid The ID of the parent process. 2296
pfilename The name of the parent process file. client.exe
pfilepath The full path of the parent process file. D:/client/client.exe
cmd_chain The process chain.
[
    {
        "9883":"bash -c kill -0 -- -'6274'"
    },
    {
        "19617":"/opt/java8/bin/java -Dproc_nodemanager -Xmx8192m -Dhdp.version=2.6.XX.XX-292 -Dhadoop.log.dir=/var/log/hadoop-yarn/yarn -Dyarn.log.dir=/var/log/hadoop-yarn/yarn -Dhadoop.log.file=yarn-yarn-nodemanager-s-tencentyun-10-54-42-64.hx.log -Dyarn.log.file=yarn-yarn-nodemanager-s-tencentyun-10-54-42-64.hx.log -Dyarn.home.dir= -Dyarn.id.str=yarn -Dhadoop.root.logger=INFO,EWMA,RFA -Dyarn.root.logger=INFO,EWMA,RFA -Djava.library.path=:/usr/hdp/2.6.XX.XX-292/hadoop/lib/native/Linux-amd64-64:/usr/hdp/2.6.XX.XX-292/hadoop/lib/native/Linux-amd64-64:/usr/hdp/2.6.XX.XX-292/hadoop/lib/native:/var/lib/ambari-agent/tmp/hadoop_java_io_tmpdir:/usr/hdp/2.6.XX.XX-292/hadoop/lib/native/Linux-amd64-64:/usr/hdp/2.6.XX.XX-292/hadoop/lib/native/Linux-amd64-64:/usr/hdp/2.6.XX.XX-292/hadoop/lib/native:/var/lib/ambari-agent/tmp/hadoop_java_io_tmpdir -Dyarn.policy.file=hadoop-policy.xml -Djava.io.tmpdir=/var/lib/ambari-agent/tmp/hadoop_java_io_tmpdir -server -Dnm.audit.logger=INFO,NMAUDIT -Dnm.audit.logger=INFO,NMAUDIT -Dhadoop.log.dir=/var/log/hadoop-yarn/yarn -Dyarn.log.dir=/var/log/hadoop-yarn/yarn -Dhadoop.log.file=yarn-yarn-nodemanager-s-tencentyun-10-54-42-64.hx.log -Dyarn.log.file=yarn-yarn-nodemanager-s-tencentyun-10-54-42-64.hx.log -Dyarn.home.dir=/usr/hdp/2.6.XX.XX-292/hadoop-yarn -Dhadoop.home.dir=/usr/hdp/2.6.XX.XX-292/hadoop -Dhadoop.root.logger=INFO,EWMA,RFA -Dyarn.root.logger=INFO,EWMA,RFA -Djava.library.path=:/usr/hdp/2.6.XX.XX-292/hadoop/lib/native/Linux-amd64-64:/usr/hdp/2.6.XX.XX-292/hadoop/lib/native/Linux-amd64-64:/usr/hdp/2.6.XX.XX-292/hadoop/lib/native:/var/lib/ambari-agent/tmp/hadoop_java_io_tmpdir:/usr/hdp/2.6.XX.XX-292/hadoop/lib/native/Linux-amd64-64:/usr/hdp/2.6.XX.XX-292/hadoop/lib/native/Linux-amd64-64:/usr/hdp/2.6.XX.XX-292/hadoop/lib/native:/var/lib/ambari-agent/tmp/hadoop_java_io_tmpdir -classpath /usr/hdp/2.6.XX.XX-292/hadoop/conf:/usr/hdp/2.6.XX.XX-292/hadoop/conf:/usr/hdp/2.6.XX.XX-292/hadoop/conf:/usr/hdp/2.6.XX.XX-292/hadoop/lib/*:/usr/hdp/2.6.XX.XX-292/hadoop/.//*:/usr/hdp/2.6.XX.XX-292/hadoop-hdfs/./:/usr/hdp/2.6.XX.XX-292/hadoop-hdfs/lib/*:/usr/hdp/2.6.XX.XX-292/hadoop-hdfs/.//*:/usr/hdp/2.6.XX.XX-292/hadoop-yarn/lib/*:/usr/hdp/2.6.XX.XX-292/hadoop-yarn/.//*:/usr/hdp/2.6.XX.XX-292/hadoop-mapreduce/lib/*:/usr/hdp/2.6.XX.XX-292/hadoop-mapreduce/.//*:/usr/hdp/2.6.XX.XX-292/hadoop-yarn/.//*:/usr/hdp/2.6.XX.XX-292/hadoop-yarn/lib/*:/usr/hdp/2.6.XX.XX-292/hadoop/conf/nm-config/log4j.properties org.apache.hadoop.yarn.server.nodemanager.NodeManager"
    }
]
containerhostname The name of the server in the container. gamify-answer-bol-5-6876d5dc78-vf****
containerpid The ID of the process in the container. 0
containerimageid The ID of the image. sha256:7fee4a991f7c41c5511234dfea37a2a5c70c894fa7b4ca5c08d9fad74077****
containerimagename The name of the image. registry-vpc.cn-north-2-gov-1.aliyuncs.com/lippi-dingtalk/gamify-answer-bol-start:2020111714****
containername The name of the container. k8s_gamify-answer-bol_gamify-answer-bol-5-6876d5dc78-vf6rb_study-gamify-answer-bol_483a1ed1-28b7-11eb-bc35-00163e010b62_0****
containerid The ID of the container. b564567427272d46f9b1cc4ade06a85fdf55075c06fdb870818d5925fa86****
cmd_chain_index The index of the process chain. You can use an index to search for process chains. P253
cmd_index The indexes of the parameters in the command line. The indexes are grouped in pairs, and each pair marks the start and the end of one parameter. 0,3,5,8
comm The command name related to the process. N/A
gid The ID of the process group. 0
parent_cmd_line The command line of the parent process. /bin/sh -c ip a |grep inet|grep -v inet6|grep -v 127.0.0.1|grep -v 'inet 192.168.'|grep -v 'inet 10.'|awk '{print $2}'|sed 's#/[0-9]*##g'
pid_start_time The time when the parent process was started. 2022-01-12 15:27:46
srv_cmd The command line of the ancestor process. /www/server/panel/pyenv/bin/python /www/server/panel/BT-Task
stime The time when the process was started. 2022-01-12 15:27:46

Process snapshots

Field name Description Example
uuid The UUID of the server where the process runs. 5d83b26b-b7ca-4a0a-9267-12****
ip The IP address of the client host. 1.2.XX.XX
cmdline The complete command to start the process. cmd.exe /C "netstat -ano"
pid The ID of the process. 7100
name The name of the process file. cmd.exe
path The full path of the process file. C:/Windows/SysWOW64/cmd.exe
md5 The MD5 hash value of the process file.
Note The MD5 algorithm is not supported for files that exceed 1 MB.
d0424c22dfa03f6e4d5289f7f5934dd4
pname The name of the parent process file. client.exe
start_time The time when the process was started. This field is built-in. 2018-01-18 20:00:12
user The username. administrator
uid The ID of the user. 123

Logon logs

Note The repeated logon attempts within 1 minute are recorded in one log. The warn_count field indicates the number of logon attempts.
Field name Description Example
uuid The UUID of the server that is logged on to. 5d83b26b-b7ca-4a0a-9267-12****
ip The IP address of the client host. 1.2.XX.XX
warn_ip The source IP address. 1.2.XX.XX
warn_port The logon port. 22
warn_type The logon type. Valid values:
  • SSHLOGIN: Secure Shell (SSH) logon
  • RDPLOGIN: remote desktop logon
  • IPCLOGIN: Internet Process Connection (IPC) connection logon
SSHLOGIN
warn_user The username that is used for the logon. admin
warn_count The number of logon attempts. The repeated logon attempts within 1 minute are recorded in one log. For example, if the value of the warn_count field is 3, three logon attempts were performed within one minute. 3

Brute-force attack logs

Field name Description Example
uuid The UUID of the server that is under a brute-force attack. 5d83b26b-b7ca-4a0a-9267-12****
ip The IP address of the server. 1.2.XX.XX
warn_ip The source IP address. 1.2.XX.XX
warn_port The logon port. 22
warn_type The logon type. Valid values:
  • SSHLOGIN: SSH logon
  • RDPLOGIN: remote desktop logon
  • IPCLOGIN: IPC connection logon
SSHLOGIN
warn_user The username that is used for the logon. admin
warn_count The number of failed logon attempts. 3
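Logon logs and brute-force attack logs share the warn_* fields, and warn_count already folds repeated attempts within one minute into a single record, so a detection only has to sum it per source. The following is an added example (not Security Center code) that aggregates a batch of logon-log records by (uuid, warn_ip, warn_type) and flags high attempt volume or many distinct usernames from one source; the sample records and the thresholds are constructed assumptions.

```python
"""Aggregate Security Center logon logs into per-source attempt counts.

Added example, not Security Center code. Each logon-log record already
bundles repeated attempts within one minute (warn_count), so summing
warn_count per (uuid, warn_ip, warn_type) across the batch you query
gives the attempt volume per source, and the distinct warn_user values
per source separate guessing on one account from spraying many accounts.
The thresholds are assumptions for illustration; tune them to your fleet.
"""
import json

VALID_WARN_TYPES = {"SSHLOGIN", "RDPLOGIN", "IPCLOGIN"}


def _record(uuid, warn_ip, warn_type, warn_user, warn_count, warn_port=22):
    """Build one constructed logon-log record with the field names from the table."""
    return json.dumps({"uuid": uuid, "ip": "192.0.2.10", "warn_ip": warn_ip,
                       "warn_port": warn_port, "warn_type": warn_type,
                       "warn_user": warn_user, "warn_count": warn_count})


# Constructed sample batch (RFC 5737 addresses): one source hammering
# "admin" across eight one-minute buckets, one trying five users once
# each, and one ordinary RDP logon.
SAMPLE_LOGON_LOGS = "\n".join(
    [_record("uuid-a", "198.51.100.9", "SSHLOGIN", "admin", 3)] * 8
    + [_record("uuid-a", "203.0.113.7", "SSHLOGIN", u, 1)
       for u in ("root", "admin", "test", "oracle", "postgres")]
    + [_record("uuid-a", "192.0.2.20", "RDPLOGIN", "alice", 1, warn_port=3389)]
)


def parse_logon_log(text):
    """Parse newline-delimited JSON records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def aggregate_logons(records):
    """Sum warn_count and collect users/ports per (uuid, warn_ip, warn_type)."""
    agg = {}
    for r in records:
        warn_type = r["warn_type"]
        if warn_type not in VALID_WARN_TYPES:
            raise ValueError(f"unknown warn_type: {warn_type!r}")
        key = (r["uuid"], r["warn_ip"], warn_type)
        entry = agg.setdefault(key, {"attempts": 0, "users": set(), "ports": set()})
        entry["attempts"] += int(r["warn_count"])  # attempts in that minute bucket
        entry["users"].add(r["warn_user"])
        entry["ports"].add(int(r["warn_port"]))
    return agg


def flag_sources(agg, min_attempts=20, min_users=5):
    """Sources whose volume or username spread crosses the (assumed) thresholds."""
    flagged = []
    for (uuid, warn_ip, warn_type), e in agg.items():
        reasons = []
        if e["attempts"] >= min_attempts:
            reasons.append("high_attempt_volume")
        if len(e["users"]) >= min_users:
            reasons.append("many_usernames")
        if reasons:
            flagged.append({"uuid": uuid, "warn_ip": warn_ip, "warn_type": warn_type,
                            "attempts": e["attempts"], "users": sorted(e["users"]),
                            "ports": sorted(e["ports"]), "reasons": reasons})
    flagged.sort(key=lambda f: (-f["attempts"], f["warn_ip"]))
    return flagged


if __name__ == "__main__":
    for f in flag_sources(aggregate_logons(parse_logon_log(SAMPLE_LOGON_LOGS))):
        print(f)
```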

Network connection logs

Note Changes in network connections are collected by the server every 10 seconds to 1 minute. The changes are collected from the time when a connection is established to the time when the connection ends.
Field name Description Example
uuid The UUID of the server. 5d83b26b-b7ca-4a0a-9267-12****
ip The IP address of the server. 1.2.XX.XX
src_ip The source IP address. 1.2.XX.XX
src_port The source port. 41897
dst_ip The destination IP address. 1.2.XX.XX
dst_port The destination port. 22
proc_name The name of the process. java
proc_path The path of the process. /hsdata/jdk1.7.0_79/bin/java
proto The protocol. Valid values:
  • tcp
  • udp
  • raw, which indicates raw socket
tcp
status The status of the network connection. For more information, see Status codes of network connections. 5
cmd_chain The process chain.
[
    {
        "9883":"bash -c kill -0 -- -'6274'"
    },
    {
        "19617":"/opt/java8/bin/java -Dproc_nodemanager -Xmx8192m -Dhdp.version=2.6.5.0-292 -Dhadoop.log.dir=/var/log/hadoop-yarn/yarn -Dyarn.log.dir=/var/log/hadoop-yarn/yarn -Dhadoop.log.file=yarn-yarn-nodemanager-s-tencentyun-10-54-42-64.hx.log -Dyarn.log.file=yarn-yarn-nodemanager-s-tencentyun-10-54-42-64.hx.log -Dyarn.home.dir= -Dyarn.id.str=yarn -Dhadoop.root.logger=INFO,EWMA,RFA -Dyarn.root.logger=INFO,EWMA,RFA -Djava.library.path=:/usr/hdp/2.6.5.0-292/hadoop/lib/native/Linux-amd64-64:/usr/hdp/2.6.5.0-292/hadoop/lib/native/Linux-amd64-64:/usr/hdp/2.6.5.0-292/hadoop/lib/native:/var/lib/ambari-agent/tmp/hadoop_java_io_tmpdir:/usr/hdp/2.6.5.0-292/hadoop/lib/native/Linux-amd64-64:/usr/hdp/2.6.5.0-292/hadoop/lib/native/Linux-amd64-64:/usr/hdp/2.6.5.0-292/hadoop/lib/native:/var/lib/ambari-agent/tmp/hadoop_java_io_tmpdir -Dyarn.policy.file=hadoop-policy.xml -Djava.io.tmpdir=/var/lib/ambari-agent/tmp/hadoop_java_io_tmpdir -server -Dnm.audit.logger=INFO,NMAUDIT -Dnm.audit.logger=INFO,NMAUDIT -Dhadoop.log.dir=/var/log/hadoop-yarn/yarn -Dyarn.log.dir=/var/log/hadoop-yarn/yarn -Dhadoop.log.file=yarn-yarn-nodemanager-s-tencentyun-10-54-42-64.hx.log -Dyarn.log.file=yarn-yarn-nodemanager-s-tencentyun-10-54-42-64.hx.log -Dyarn.home.dir=/usr/hdp/2.6.5.0-292/hadoop-yarn -Dhadoop.home.dir=/usr/hdp/2.6.5.0-292/hadoop -Dhadoop.root.logger=INFO,EWMA,RFA -Dyarn.root.logger=INFO,EWMA,RFA -Djava.library.path=:/usr/hdp/2.6.5.0-292/hadoop/lib/native/Linux-amd64-64:/usr/hdp/2.6.5.0-292/hadoop/lib/native/Linux-amd64-64:/usr/hdp/2.6.5.0-292/hadoop/lib/native:/var/lib/ambari-agent/tmp/hadoop_java_io_tmpdir:/usr/hdp/2.6.5.0-292/hadoop/lib/native/Linux-amd64-64:/usr/hdp/2.6.5.0-292/hadoop/lib/native/Linux-amd64-64:/usr/hdp/2.6.5.0-292/hadoop/lib/native:/var/lib/ambari-agent/tmp/hadoop_java_io_tmpdir -classpath /usr/hdp/2.6.5.0-292/hadoop/conf:/usr/hdp/2.6.5.0-292/hadoop/conf:/usr/hdp/2.6.5.0-292/hadoop/conf:/usr/hdp/2.6.5.0-292/hadoop/lib/*:/usr/hdp/2.6.5.0-292/hadoop/.//*:/usr/hdp/2.6.5.0-292/hadoop-hdfs/./:/usr/hdp/2.6.5.0-292/hadoop-hdfs/lib/*:/usr/hdp/2.6.5.0-292/hadoop-hdfs/.//*:/usr/hdp/2.6.5.0-292/hadoop-yarn/lib/*:/usr/hdp/2.6.5.0-292/hadoop-yarn/.//*:/usr/hdp/2.6.5.0-292/hadoop-mapreduce/lib/*:/usr/hdp/2.6.5.0-292/hadoop-mapreduce/.//*:/usr/hdp/2.6.5.0-292/hadoop-yarn/.//*:/usr/hdp/2.6.5.0-292/hadoop-yarn/lib/*:/usr/hdp/2.6.5.0-292/hadoop/conf/nm-config/log4j.properties org.apache.hadoop.yarn.server.nodemanager.NodeManager"
    }
]
pid The ID of the process. 123
ppid The ID of the parent process. 1
container_hostname The name of the server in the container. gamify-answer-bol-5-6876d5dc78-v****
container_pid The ID of the process in the container. 0
container_image_id The ID of the image. sha256:7fee4a991f7c41c5511234dfea37a2a5c70c894fa7b4ca5c08d9fad74077****
container_image_name The name of the image. registry-vpc.cn-north-2-gov-1.aliyuncs.com/lippi-dingtalk/gamify-answer-bol-start:2020111714****
container_name The name of the container. k8s_gamify-answer-bol_gamify-answer-bol-5-6876d5dc78-vf6rb_study-gamify-answer-bol_483a1ed1-28b7-11eb-bc35-00163e010b62_0****
container_id The ID of the container. b564567427272d46f9b1cc4ade06a85fdf55075c06fdb870818d5925fa86****
cmd_chain_index The index of the process chain. An index can be used to search for process chains. P3285
parent_proc_file_name The name of the parent process file. /usr/bin/bash
proc_start_time The time when the process was started. N/A
srv_comm The command name related to the ancestor process. python
uid The ID of the user who started the process. -1
username The name of the user who started the process. N/A
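The cmd_chain field, which appears in both the process startup logs and the network connection logs above, is a JSON array of single-key objects mapping a PID to that process's command line. The following is an added example (not Security Center code) that parses and validates the chain and extracts the executable of each link; accepting a CSV-style quoted value with doubled inner quotes is an assumption about exported copies of the field, and the sample chain is a shortened, constructed version of the one shown above.

```python
"""Parse the cmd_chain field of process startup and network connection logs.

Added example, not Security Center code. The chain is a JSON array of
single-key objects, each mapping a PID (as a string) to that process's
command line, kept here in the order the record lists them. The parser
accepts the raw array and, as an assumption about CSV-style exports, a
value wrapped in double quotes with the inner quotes doubled.
"""
import json

# Constructed sample: a shortened version of the chain shown in the tables.
SAMPLE_CMD_CHAIN = (
    '[{"9883":"bash -c kill -0 -- -\'6274\'"},'
    '{"19617":"/opt/java8/bin/java -Dproc_nodemanager -Xmx8192m"}]'
)
# The same value as a CSV-style export would quote it (assumed form).
SAMPLE_CMD_CHAIN_CSV = '"' + SAMPLE_CMD_CHAIN.replace('"', '""') + '"'


def _unwrap_csv_quoting(value):
    """Strip outer double quotes and collapse doubled inner quotes, if present."""
    s = value.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        return s[1:-1].replace('""', '"')
    return s


def parse_cmd_chain(value):
    """Return the chain as a list of (pid, cmdline) tuples.

    Raises ValueError for anything that is not a list of one-key objects
    with integer-like keys, so a malformed record fails loudly instead of
    silently yielding an empty chain.
    """
    if isinstance(value, str):
        value = json.loads(_unwrap_csv_quoting(value))
    if not isinstance(value, list):
        raise ValueError("cmd_chain must be a JSON array")
    chain = []
    for item in value:
        if not isinstance(item, dict) or len(item) != 1:
            raise ValueError(f"each chain element must have exactly one key: {item!r}")
        (pid_str, cmdline), = item.items()
        try:
            pid = int(pid_str)
        except ValueError:
            raise ValueError(f"non-numeric pid key: {pid_str!r}") from None
        if not isinstance(cmdline, str):
            raise ValueError(f"cmdline for pid {pid} is not a string")
        chain.append((pid, cmdline))
    return chain


def is_valid_cmd_chain(value):
    """True if the value parses as a well-formed chain."""
    try:
        parse_cmd_chain(value)
    except (ValueError, json.JSONDecodeError):
        return False
    return True


def executables(chain):
    """First token of each command line, e.g. ['bash', '/opt/java8/bin/java']."""
    return [cmd.split(None, 1)[0] if cmd.strip() else "" for _, cmd in chain]


def chain_matches(chain, predicate):
    """True if any (pid, cmdline) link satisfies predicate(pid, cmdline)."""
    return any(predicate(pid, cmd) for pid, cmd in chain)


if __name__ == "__main__":
    chain = parse_cmd_chain(SAMPLE_CMD_CHAIN)
    print(chain)
    print(executables(chain))
```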

Status codes of network connections

Status code Description
1 closed
2 listen
3 syn sent
4 syn recv
5 established
6 close wait
7 closing
8 fin_wait1
9 fin_wait2
10 time_wait
11 delete_tcb

Snapshots of port listening

Field name Description Example
uuid The UUID of the server. 5d83b26b-b7ca-4a0a-9267-12****
ip The IP address of the server. 1.2.XX.XX
proto The communication protocol. Valid values:
  • tcp
  • udp
  • raw, which indicates raw socket
tcp
src_ip The IP address of the listener. 1.2.XX.XX
src_port The listener port. 41897
pid The ID of the process. 7100
proc_name The name of the process. kubelet

Account snapshots

Note The account snapshots contain information about the accounts that are detected in your assets.
Field name Description Example
uuid The UUID of the server. 5d83b26b-b7ca-4a0a-9267-12****
ip The IP address of the server. 1.2.XX.XX
user The name of the user. nscd
perm Indicates whether the account can be used to log on to the server as the root user. Valid values:
  • 0: no
  • 1: yes
0
home_dir The home directory. /Users/abc
groups The groups to which the user belongs. The value N/A indicates that the user does not belong to any group. ["users", "root"]
last_chg The date when the password was last modified. 2017-08-24
shell The logon shell of the user on Linux. /sbin/nologin
domain The Windows domain. The value N/A indicates that the user does not belong to a domain. administrator
tty The terminal that is logged on to. The value N/A indicates that the account has not been used for terminal logon. pts/3
warn_time The date when you are notified of expiring passwords. The value never indicates that notifications are disabled. 2017-08-24
account_expire The date when the account expires. The value never indicates that the account never expires. 2017-08-24
passwd_expire The date when the password expires. The value never indicates that the password never expires. 2017-08-24
login_ip The IP address from which the last remote logon was initiated. The value N/A indicates that the account has not been used for logons. 1.2.XX.XX
last_logon The date and time of the last logon. The value N/A indicates that the account has not been used for logons. 2017-08-21 09:21:21
status The status of the account. Valid values:
  • 0: Logons from the account are not allowed.
  • 1: Logons from the account are allowed.
0